CVE-2026-4858
Analyzed Analyzed - Analysis Complete
Path Traversal in Mattermost Integration URL

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: Mattermost, Inc.

Description
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to check integration URL for path traversal which allows an malicious authenticated user to call an arbitrary API via system admin Mattermost auth token using via path traversal in integration action URL.. Mattermost Advisory ID: MMSA-2026-00640
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-4858
EUVD
EUVD-2026-31242
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mattermost mattermost_server From 10.11.0 (inc) to 10.11.15 (exc)
mattermost mattermost_server From 11.4.0 (inc) to 11.4.5 (exc)
mattermost mattermost_server From 11.5.0 (inc) to 11.5.4 (exc)
mattermost mattermost_server 11.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in certain versions of Mattermost (11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14) where the software fails to properly check integration URLs for path traversal.

Because of this, a malicious authenticated user can exploit the path traversal in the integration action URL to call arbitrary APIs using a system admin Mattermost authentication token.

Impact Analysis

This vulnerability can have a severe impact because it allows a malicious authenticated user to perform actions with system admin privileges by exploiting the path traversal flaw.

The attacker can call arbitrary APIs, potentially leading to full compromise of the Mattermost system, including unauthorized access, modification, or deletion of data.

The CVSS base score of 8.0 indicates a high severity, with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

To mitigate this vulnerability, you should update Mattermost to a version later than the affected versions (11.6.0, 11.5.3, 11.4.4, 10.11.14) where the path traversal issue in integration URLs is fixed.

Additionally, monitor the Mattermost Security Updates page for official patches and advisories.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4858. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart